12.1 Web App Concepts
Introduction to Web Applications
- Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Web applications為提供end users與web servers間的溝通界面
- Though web application enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
雖然web application有實施某程度的安全政策,但它們還是很容易遭遇到像SQL injection、XSS和session hijacking等攻擊。
- Web technologies such as Web 2.0 provide more attack surface for web application exploitation.
像Web 2.0的技術反而帶來遭遇到更多的攻擊層面
- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency.
How Web Applications Work
Web Application Architecture
Web 2.0 Applications
- Web 2.0 refers to a generation of Web applications that provide an infrastructure for more dynamic user participation, social interaction and collaboration.
- It offers various features such as:
- Interoperability:
- Advanced gaming
- Dynamic as opposed to static site content
- RSS-generated syndication
- User-centered Design:
- Social networking sites (Flickr, Facebook, del.cio.us)
- Mash-ups (emails, IMs, electronic payment systems)
- Wikis and other collaborative applications
- Google Base and other free web services (Google Maps)
- Collaboration on the Web:
- Ease of data creation, modification, or deletion by individual users
- Online office software (Google Docs and Microsoft Light)
- Interactive encyclopedias and dictionaries
- Cloud computing websites such as Amazon.com
- Interactive Data Sharing:
- Frameworks (Yahoo! Ul Library, jQuery)
- Flash-rich interface websites
- Mobile application (iPhone)
- New technologies like AJAX (Gmail, YouTube)
- Blogs (Wordpress)
- Interoperability:
Vulnerability Stack
Stacks | Services |
---|---|
Level 7 | Custom Web Applications: Business Logic Flaws Technical Vulnerabilities |
Level 6 | Third Party Components: Open Source / Commercial |
Level 5 | Database: Oracle / MySQL / MS SQL |
Level 4 | Web Server: Apache / Microsoft IIS |
Level 3 | Operating System: Windows / Linux / OS X |
Level 2 | Network: Router / Switch |
Level 1 | Security: IPS / IDS |